See previous reply, thanks.

Best Regards,


-----Original Message-----
From: Jeremy Rowley []
Sent: Thursday, August 25, 2016 3:41 AM
To: Peter Bowen <>; Gervase Markham <>
Cc:; Richard Wang 
Subject: RE: Incidents involving the CA WoSign

That's true. I think WoSign should chime in and provide clarity about what
happened. There's far too many innocent explanations to start crying foul.

However, the fact a researcher was able to obtain a cert without proper domain
validation is pretty serious. I'd like to hear more details about how this was
accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone
merely for port use seems harsh when there wasn't a policy against it.

-----Original Message-----
From: Peter Bowen []
Sent: Wednesday, August 24, 2016 10:45 AM
To: Gervase Markham <>
Cc: Jeremy Rowley <>;; Richard Wang
Subject: Re: Incidents involving the CA WoSign

On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <> wrote:
> On 24/08/16 17:12, Jeremy Rowley wrote:
>> On incident 2, it sounds like they are both using the same
>> auto-generation script.
> It seems like a bit more than that, doesn't it? Let's presume that
> WoSign did not ship a copy of their intermediate cert's private key to
> StartCom. Therefore, this cert must have been issued on the back end
> by some sort of WoSign system. So either WoSign's back-end issuing
> service has some form of authentication and the StartCom system had
> those credentials (why?), or the WoSign system does not have any form
> of authentication (concerning).

I think you are missing the most likely option: CA hosting.  My understanding
is that it is not uncommon that one CA operator contracts with another CA
operator to run a CA on behalf of the first operator.  I don't think it has
been clear what disclosure of this practice is required.  Given that I believe
this is widespread, I assumed that all of the issuing CAs in this case were
operated by the same entity.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to